SecondaryParameters in RST to WSO2 Identity Server ignored


I have to write a .NET WCF Service which relies on SAML2 tokens issued by WSO2 Identity Server. It is required that everything from wst:SecondaryParameters (e.g. Claims) is validated by the WSO2 Security Token Service. I'm not able to do this, because it seems that WSO2 is ignoring the SecondaryParameters. If I request the Claims directly under the RequestSecurityToken, they are validated correctly in the RSTR.

Here's my sample RST created with Soap-UI for testing purposes:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header/>
    <soap:Body>
        <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
            <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
            <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
            <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
            <wsp:AppliesTo>
                <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
                    <wsa:Address>https://example.com</wsa:Address>
                </wsa:EndpointReference>
            </wsp:AppliesTo>
            <wst:SecondaryParameters>
                <wst:Claims wst:Dialect="http://wso2.org">
                    <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/givenname"/>
                    <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/emailaddress"/>
                    <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/username"/>
                </wst:Claims>
            </wst:SecondaryParameters>
        </wst:RequestSecurityToken>
    </soap:Body>
</soap:Envelope>

...and the RSTR received from the WSO2 STS, with the requested Claims missing:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsu:Timestamp wsu:Id="Timestamp-75" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2021-06-10T09:59:22.813Z</wsu:Created>
            <wsu:Expires>2021-06-10T10:04:22.813Z</wsu:Expires>
         </wsu:Timestamp>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
         <wst:RequestSecurityTokenResponse>
            <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
            <wst:RequestedAttachedReference>
               <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                  <wsse:Reference URI="#urn:uuid:EB6235F9B55E496D821623319162707" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
               </wsse:SecurityTokenReference>
            </wst:RequestedAttachedReference>
            <wst:RequestedUnattachedReference>
               <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                  <wsse:Reference URI="urn:uuid:EB6235F9B55E496D821623319162707" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
               </wsse:SecurityTokenReference>
            </wst:RequestedUnattachedReference>
            <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
               <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
                  <wsa:Address>https://example.com</wsa:Address>
               </wsa:EndpointReference>
            </wsp:AppliesTo>
            <wst:Lifetime>
               <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2021-06-10T09:59:22.703Z</wsu:Created>
               <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2021-06-10T10:04:22.703Z</wsu:Expires>
            </wst:Lifetime>
            <wst:RequestedSecurityToken>
               <saml2:Assertion ID="urn:uuid:EB6235F9B55E496D821623319162707" IssueInstant="2021-06-10T09:59:22.703Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
                  <saml2:Issuer>https://sts.example.com</saml2:Issuer>
                  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                     <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <ds:Reference URI="#urn:uuid:EB6235F9B55E496D821623319162707">
                           <ds:Transforms>
                              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                           </ds:Transforms>
                           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                           <ds:DigestValue>Ty9kARjgU99DnLmK5g8UQeP0ekM=</ds:DigestValue>
                        </ds:Reference>
                     </ds:SignedInfo>
                     <ds:SignatureValue>RPZEPn9oJeQLKE/Fk0jqRUaTnlOvpwcL6iuPKnSi0MbUNf6sbZBC1jmrz8YfLm5XYUpfxQTXv7Xm
9Ck5B61dXevke/MiiZhHViSGeRhumPyLmNGTyMTZMuKEUs/J+xAtjCOgGM7vo6QfILooYfGMBoP+
u22ITTyjiTDwShTGaj9E54FvtO3AAjA27LDNZu2gM8eDdNKKvS6wfq32WVsoNBRaJ3sjC0fshlp7
eBljJhovQ7/Ll8/4PeriaQtXagp9Xsn56nEW8iEBzFQUg9ViVqnr5Jk5GhfbfhXOYRTmZvDBFdRO
r9D4bH97BGbkmRH4+Ha0AtpjO2JdSaPIBQq61Q==</ds:SignatureValue>
                     <ds:KeyInfo>
                        <ds:X509Data>
                           <ds:X509Certificate>MIIDYDCCAkigAwIBAgIEDUzx7TANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJMSzELMAkGA1UE...</ds:X509Certificate>
                        </ds:X509Data>
                     </ds:KeyInfo>
                  </ds:Signature>
                  <saml2:Subject>
                     <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser</saml2:NameID>
                     <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
                  </saml2:Subject>
                  <saml2:Conditions NotBefore="2021-06-10T09:59:22.703Z" NotOnOrAfter="2021-06-10T10:04:22.703Z">
                     <saml2:AudienceRestriction>
                        <saml2:Audience>https://example.com</saml2:Audience>
                     </saml2:AudienceRestriction>
                  </saml2:Conditions>
                  <saml2:AuthnStatement AuthnInstant="2021-06-10T09:59:22.754Z">
                     <saml2:AuthnContext>
                        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
                     </saml2:AuthnContext>
                  </saml2:AuthnStatement>
               </saml2:Assertion>
            </wst:RequestedSecurityToken>
         </wst:RequestSecurityTokenResponse>
      </wst:RequestSecurityTokenResponseCollection>
   </soapenv:Body>
</soapenv:Envelope>

How can I correctly request the SecondaryParameters specified in WS-Trust 1.4 from the WSO2 STS?

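As an added example (not code from the post, nor from WSO2 or WCF), two client-side helpers around the exchange above: `hoist_claims` rewrites an RST so that `wst:Claims` sits directly under `wst:RequestSecurityToken`, the placement the post reports the STS honours, and `missing_claims` lets the relying party check an RSTR for the requested claim URIs before trusting the token. It assumes the issued assertion carries claims as `saml2:Attribute` elements whose `Name` is the claim URI; the RST and RSTR samples are constructed, modelled on the post.

```python
import xml.etree.ElementTree as ET
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSID = "http://schemas.xmlsoap.org/ws/2005/05/identity"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
for p, u in {"wst": WST, "wsid": WSID, "soap": "http://schemas.xmlsoap.org/soap/envelope/"}.items():
    ET.register_namespace(p, u)  # keep the post's prefixes when re-serialising
# Constructed sample RST modelled on the post's request (not the original bytes).
SAMPLE_RST = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<wst:RequestSecurityToken xmlns:wst="{WST}"><wst:RequestType>{WST}/Issue</wst:RequestType>
<wst:SecondaryParameters><wst:Claims wst:Dialect="http://wso2.org">
<wsid:ClaimType xmlns:wsid="{WSID}" Uri="http://wso2.org/claims/givenname"/>
<wsid:ClaimType xmlns:wsid="{WSID}" Uri="http://wso2.org/claims/emailaddress"/>
</wst:Claims></wst:SecondaryParameters></wst:RequestSecurityToken></soap:Body></soap:Envelope>"""
# Constructed RSTR fragment: the assertion carries only one of the two requested claims (assumed attribute layout).
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}"><wst:RequestedSecurityToken>
<saml2:Assertion xmlns:saml2="{SAML2}" Version="2.0"><saml2:AttributeStatement>
<saml2:Attribute Name="http://wso2.org/claims/givenname"><saml2:AttributeValue>Test</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement></saml2:Assertion></wst:RequestedSecurityToken></wst:RequestSecurityTokenResponseCollection>"""

def requested_claim_uris(rst_xml: str) -> list:
    """Every wsid:ClaimType Uri in the RST, wherever the wst:Claims element sits."""
    return [c.get("Uri") for c in ET.fromstring(rst_xml).iter(f"{{{WSID}}}ClaimType")]

def claims_location(rst_xml: str) -> str:
    """Where the RST carries wst:Claims: 'top-level', 'secondary' or 'none'."""
    rst = ET.fromstring(rst_xml).find(f".//{{{WST}}}RequestSecurityToken")
    if rst.find(f"{{{WST}}}Claims") is not None:
        return "top-level"
    return "secondary" if rst.find(f"{{{WST}}}SecondaryParameters/{{{WST}}}Claims") is not None else "none"

def hoist_claims(rst_xml: str) -> str:
    """Move wst:Claims from wst:SecondaryParameters to a direct child of the RST."""
    root = ET.fromstring(rst_xml)
    rst = root.find(f".//{{{WST}}}RequestSecurityToken")
    secondary = rst.find(f"{{{WST}}}SecondaryParameters")
    claims = None if secondary is None else secondary.find(f"{{{WST}}}Claims")
    if claims is not None:
        secondary.remove(claims)
        rst.append(claims)  # the wst:Dialect attribute travels with the element
        if len(secondary) == 0:
            rst.remove(secondary)  # nothing left to send as secondary parameters
    return ET.tostring(root, encoding="unicode")

def missing_claims(rstr_xml: str, expected: list) -> list:
    """Requested claim URIs with no matching saml2:Attribute in the issued assertion."""
    present = {a.get("Name") for a in ET.fromstring(rstr_xml).iter(f"{{{SAML2}}}Attribute")}
    return [uri for uri in expected if uri not in present]
```

A relying party that depends on a claim should reject a token for which `missing_claims` is non-empty rather than falling back to defaults.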